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(54) TiUc: INTERCEPTION METHOD AND SYSTEM 
(57) Abstract 



An interception method and sys- 
tem for perfoiming a lawful interception 
in a packet networic such as the GPRS 
or UMTS network is described. A first 
network element having an interc^ting 
function for intercepting data packets is 
provided, said interception function be- 
ing controlled by an interception con- 
trol means implemented in a second net- 
work element, wherein an intercepted 
data packet is transmitted from the first 
network element via the packet network 
to an interception gateway element pro- 
viding an interface to an intercepting au- 
thority. The intercepted data packet is 
transmitted via a secure tunnel provided 
by an encryption processing. The inter- 
ception control means and the intercep- 
tion gateway element may both be in- 
tegrated in the second network element. 
Hie interception system has a clear ad- 
vantage in scalability, no single point 
of failure, and an adaptation to different 
authority interfaces can be implemented 
only in the interception gateway. The 
network elements can be similar to a 
high extent for all different authority re- 
quirements. 
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FIELD OF THE INVENTION 

The present invention relates to an interception method and 
system for performing a lawful interception in a packet 
10 network such as the GPRS (General Packet Radio Services) or 
the UMTS (Unversal Mobile Telecoxiununications System) 
network. 

BACKGROUND OF THE INVENTION 

15 

The provision of a lawful interception is a requirement of 
national law, which is usually mandatory. From time to 
time, a network operator and/ or a service provider will be 
required, according to a lawful authorization, to make 
2 0 available results of interception relating to specific 
identities to a specific intercepting authority or Law 
Enforcement Agency (LEA) - 

There are various aspects of interception. The respective 
25 national law describes under what conditions and with what 
restrictions interception is allowed. If an LEA wishes to 
use lawful interception as a tool, it will ask a 
prosecuting judge or other responsible body for a lawful 
authorization, such as a warrant. If the lawful 
30 authorization is gremted, the LEA will present the lawful 
authorization to an access provider which provides access 
from a user's terminal to that network, to the network 
operator, or to the service provider via an administrative 
interface or procedure. When a lawful interception is 
35 authorized, an Intercept Related Information (IRI) and the 
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content of the corresponding communication is delivered to 
the LEA. ' 

In particular, the lawful authorization may describe the 
5 IRI and the content of the communication that are allowed 
to be delivered for this LEA, investigation, period and 
interception subject* For different LEAs and for different 
investigations, different constrains can apply that further 
limit the general borders set by the law. The interception 
10 subject may also be described in different ways in a lawful 
authorization , e.g. subscriber address , physical address , 
services etc , 

Such a lawful interception functionality is also needed in 
15 the packet switched part of new mobile data networks such 
as the GPRS and the UMTS. 

Lawful interception is based on an EU Council resolution, 
which concerns all telecommunications systems, not only 
20 mobile ones. The European Telecommunications Standards 
Institute (ETSI) has defined further technical 
requirements. These requirements define three interfaces: 

XI: administrative tasks (may be on paper or fax) 
25 X2 : network signaling (near real time) 

X3 : intercepted user data (near real time) 

The interface XI carries interception requests, 
authorization documents, encryption keys and the like. The 
30 exact definitions of the three interfaces are left to local 
legislation and authorities. 

Several approaches have been proposed so far. According to 
a hub approach, a hub is added to the GPRS backbone, such 
35 that all sessions will pass through the hub. The benefit of 
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the system is that the SGSN (Serving GPRS Support Node) and 
the GGSN (Gateway GPRS Support Node) does not have to know 
anything about the lawful interception functionality. The 
hub consists of a pseudo GGSN interface and a pseudo SGSN 
5 interface, between which a Lawful Interception Node (LIN) 
is arranged. 

However, a drawback of this approach is scalability. The 
LIN must be able to process all data packets in the 
10 backbone- Moreover, it constitutes a single point of 

failure. If the LIN crashes, the whole network will halt. 
Therefore, the LIN will be very expensive, probably the 
most expensive element in the whole network. 

15 Fig. 1 shows a principle block diagremi of another so-called 
SGSN/GGSN approach, where the whole interception function 
is integrated into a combined SGSN/GGSN element. Every 
physical SGSN/GGSN element is linked by an own XI interface 
to an administrative fxinction. ... 

20 

According to Fig. 1, the access method for delivering a 
GPRS interception information is based on a duplication of 
packets transmitted from an intercepted subscriber via the 
SGSN/GGSN element to another party. The duplicated packets 
25 are sent to a delivery function for delivering the 

corresponding IRI and content of communication to the LEA. 

If there are several SGSN/GGSN elements, this system does 
not have a single point of failure. Moreover, it is 

30 scalable in the sense that new lawful interception capacity 
can be installed with every addition of new SGSN/GGSN 
elements to the backbone. However, with every installation 
of new SGSN/GGSN elements, new interfaces to the 
administrative function are required and there is no 

35 natural growth path to the UMTS. 
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SUMMARY OF THE INVENTION 

It is an object of the present invention to provide a 
5 flexible and scalable interception method and system. 

This object is achieved by an interception method for 
performing a lawful interception in a packet network, 
comprising the steps of: 
10 providing a first network element having an interception 
fvmction for intercepting data packets; 

controlling the interception fimction by an interception 
control means implemented in a second network element; and 
transmitting an intercepted data packet from the first 
15 network element via the packet network to aua interception 
gateway element providing an interface to at least one 
intercepting authority. 

Additionally, the above object is achieved by an 
20 interception system for performing a lawful interception in 
a packet network, comprising: 

a first network element having an interception function for 
intercepting data packets and comprising a transmitting 
means for transmitting an intercepted data packet to the 

25 packet network; 

an interception control means implemented in a second 
network element and controlling the interception function; 
and 

an interception gateway element having a receiving means 
3 0 for receiving the intercepted data packet and an interface 
means for providing an interface to at least one 
intercepting authority. 

Accordingly, the interception control and gateway 
35 functionalities can be removed from the network elements 
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that process user data. Thereby, the following advantages 
can be achieved. 



The system is easily scalable, because new LIN capacity can 
5 be added as the load increases. Therefore, the LINs 

themselves are comparable to personal computers. Moreover, 
the interception gateway function can be distributed over 
several units, wherein several tunnels can be established 
from one LIN without adding hardware to it. In the same 

10 manner, the interception fxinction controlled by the 
interception control means implemented in the second 
network element may send the intercepted data packet to 
another network element or a plurality of other network 
elements . 

15 . 

If an LIN fails, some interception functions may not be 
available, but the network is still able to work. Even the 
failure of the LIG does not hold the network. The LINs and 
"LIG are practically hot "swappable, i.e". they can be 

20 replaced without interrupting the operation of the network. 

Furthermore, new network elements such as a point- to- 
multipoint service center or a multimedia messaging service 
center may be added to the network. However, this does not 

25 require new lawful interception fimctions to be integrated 
thereinto. The same holds for UMTS nodes, even though they 
may rec[uire more powerful processors due to higher 
bandwidths . Thus, the same back bone will simulteuieously 
support both GPRS and UMTS, such that the growth to third 

30 generation systems is simplified. 

Since only the LIG comprises the Xn interfaces to the LEA, 
it can act as a mediation device towards different LEA 
requirements. When the requirements change, only the LIG 
35 needs to be reprograramed . The LIG and/ or the LIN might even 
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be sold as separate customizable products to other (non- 
mobile) IP networks. 

The interception gateway element may also be integrated in 
5 the second network element. 

Preferably, the header of a data packet is read by the 
first network element and data packets to be intercepted 
are duplicated. The intercepted data packet may be 
10 transmitted to the interception gateway element using a 
secure tunnel which may be implemented by an encryption 
processing- Thereby, no separate transmission lines are 
required which would be vulnerable to physical attacks by 
the operator ' s personnel . 

15 

In case the first network element and the interception 
gateway element are arranged in separate network segments, 
the intercepted data packet can be transmitted via 
interworking units and encrypted between the interworking 
20 units. 

Preferably, one first network eleiment having the 
intercepting function is provided in each network segment 
of the mobile packet network. 

25 

Furthermore, received intercepted data packets are 
collected in the interception gateway element and supplied 
to an interface of the at least one intercepting authority. 
The interface may comprise a first interface for 
30 administrative tasks, a second interface for network 

signaling, and a third interface for intercepted user data. 

The intercepting function of the first network element may 
comprise a packet sniffing and filtering function. In 
35 particular, the intercepting function may be implemented in 
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the Gn interface excluding any tremsmission. In detail, the 
interception function may comprise reading data packets, 
analyzing the header of the data packets as to whether the 
data packet should be intercepted or not, stnd transmitting 
5 the data packet to the interception gateway element, and a 
mctnagement function for interception and transmission 
criteria. 

Preferably, an alarm may be transmitted to the interception 
10 gateway element and all interception information of the 
respective first network element may be deleted, when a 
breakage of a casing or another malfunction of the first 
network element has been detected. Thereby, an unwanted 
access to the interception data can be prevented. 

15 

Moreover, fake packets can be tramsmitted from the first 
network element to the interception gateway element. The* 
fake packets can be transmitted at random or triggered at 
any passing packet. This can be done in such a mcinner that 

20 the total load of intercepted and fake packets transmitted 
to the interception gateway element is constant. Thereby, 
the operating personnel cannot use a timing analysis to 
detect whose packets are being intercepted. Additionally, 
the true interception activity cannot be determined, if the 

25 load of the intercepted data packets is constant. 

Additionally, the intercepted data packets may always be 
padded to a maximum length, which further obstruses the 
interception activity. 

30 

Preferably, a time stamp may be added to the intercepted 
data packets. Thereby, the interception information can be 
stored in a slow or off-line memory before delivery to the 
intercepting authority, such that real time requirements of 
35 the first network element, the interception control means 
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and the interception gateway element and the intercepting 
authority can be relieved. 

The first network element may comprise a reading means for 
5 reading a header of a received data packet and for 

duplicating a data packet to be intercepted. This reading 
means can be arranged to pad the duplicated data packet to 
a maximum length. 

10 Moreover, the first network element may be a gateway 

element such as a BG (Border Gateway) , a GGSN (Gateway GPRS 
Support Node) , eind a serving node such as an SGSN (Serving 
GPRS Support Node) . In this case, an information on which 
connections to intercept may preferably be stored in the 

15 PDP context information of the respective connections, 
which is a record used to route the data packets of a 
connection in a correct manner. Thus, the information on 
whether or hot a data packet needs to be intercepted is 
readily available each time a packet is being routed. 

20 Thereby, the resources required for the interception 
function can be minimized. 

The first network element may comprise a control means for 
controlling interception and encryption processing in 
25 accordance with an interception setting instruction 
received from the interception gateway element. 

. Furtheimore , the interception gateway element may comprise 
a memory means for storing received intercepted data 
30 packets before supplying them to the interface meauris. 

Moreover, the interception gateway element may comprise a 
decryption means for decrypting received intercepted data 
packets, an extraction means for extracting intercepted 
data packets from fake data packets, euid a means for adding 
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the time information to the received intercepted data 
packets before storing them in the memory means. 

The first network element may comprise a detecting means 
for detecting a breakage of a casing of the first network 
element, and a signaling means for signaling an alarm to 
the interception gateway element in response to cin output 
of the detecting means, 

BRIEF DESC RIPTION OF THE DRAWINGS 

■ ■ I. ■ ■■■■ ' t 

In the following, the present invention will be described 
in greater detail on the basis of a preferred embodiment 
with reference to the accompanying drawings, in which: 

Fig* 1 shows a principle block diagram of a known system 
for performing a lawful interception. 

Fig, 2 shows a principle block diagram of a system for 
performing a lawful interception according to the preferred 
embodiment of the present invention. 

Fig, 3 shows, a flow and information transfeir diagram of a 
method for performing a lawful interception according to 
the preferred embodiment of the present invention. 

Fig. 4 shows a principle block diagram of an interception 
node connected via a packet network to an interception 
0 gateway according to the preferred embodiment of the 
present invention. 
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DESCRIPTION OF THE PREFERRED EMBODIMENT 

In the following, the preferred embodiment of the method 
and system according to the present invention will be 
described on the basis of a mobile packet network such a 
GPRS or UMTS network, as shown in Fig. 2, 

According to Fig. 2, remote sites which may comprise an 
Ethernet segment or only an SGSN, and a headquarters 
Ethernet segment are connected to an ATM WAN (Asynchronous 
Tr2insf er Mode Wide TVrea Network) . Each segment with a GGSN 
or a BG is equipped with a lawful interception node (LIN) 
or packet sniffer. The remote stsuid-alone SGSN does not 
have to be equipped with cui LIN. The LIN not necessarily 
has to be a separate network element but Ccm be integrated 
into the same physical unit as the GGSN or the BG- 

The LINs are arranged as passive packets sniffers used for 
reading and duplicating" intercepted data packets Each 
Ethernet secpxient must have one LIN, so that all data 
packets transmitted via the backbone can be intercepted. It 
is to be noted, that an independent LIN requires a 
broadcast backbone such as the Ethernet, whereas a LIN 
implemented by a GPRS support node (GSN) is able to share 
the sane interface and intercept all data packets • The LIN 
may be implemented in any GSN, including an SGSN. 

Each LIN is arrcuiged as a packet sniffer and filter, 
essentially a personal computer with an Ethernet interface 
and a GTP protocol stack. In effect, each LIN may implement 
a Gn interface as defined in the GSM specification 09.60. 
In this case, the LIN is arranged as a passive listening 
node which is able to read the GPRS Tunneling Protocol 
(GTP) . Nevertheless, despite the passive listening 
fiinction, the LIN is arranged to transmit to the LIG via 
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the same physical interface which also runs the Gn 

interface, but at a different TCP (Transmission Control 

Protocol) or UDP (User Datagram Protocol) port. 

5 The data packets intercepted by the LINs are collected by a 
lawful interception gateway (LIG) which supplies them to 
the XI, X2 and X3 interfaces of at least one intercepting 
authority (LEA) . In case several LEAs are connected to one 
LIG, the LiEAs may even access the same target connection 
10 with different authorizations, i.e. one LEA may only 

monitor the target connection via the X2 interface, while 
another LEA performs cm interception by using also the X3 
interface. 

15 The LINs are configured to intercept at a maximum level. It 
is thus the task of the LIG to deliver only that part of 
the intercepted information, which the respective LEA is 
authorized to receive. In this way, the decision on the 
"kind and destination of* the information to be delivered is 

20 concentrated at the LIG, such that the structure of the 
LINs can be kept simple . 

At the headquarters Ethernet, the correspoding LIN and LIG 
may integrated in a single network element, as shown, in 
25 Fig. 3, Alternatively, a separate LIN and LIG may be 
provided in the Ethernet segment. 

A call which is transmitted via the network passes two of 
three functionalities, i.e. the BG, the GGSN or SGSN. For 
30 reasons of economy, it is sufficient to equip each side 

having a GGSN or BG with an LIN. Thereby, emy call can be 
intercepted. 

In the following the method for performing lawful 
35 interception according to the preferred embodiment is 
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described with reference to Fig. 3. Fig. 3 shows a flow and 
information transfer diagram which is to be read from the 
top to the bottom. 

5 According to Fig. 3, an initial interception request is 
issued from the LEA to the LIG. In fact, the LEA passes a 
lawful authorization to the network operator, access 
provider or service provider. The network operator, access 
provider or service provider determines the relevant target 

10 identities from the information given in the lawful 

authorization. Then, the network operator, access provider 
or searvice provider commands sin interception control unit, 
used for controlling the interception functions of the 
LINs, to provide a corresponding interception information 

15 to the LIN of the relevant target identity- The 

interception control unit can be arranged in the LEA (as in 
the case of Fig. 3) or in a separate network element. 

..SuLbsequently, . .the .,interception,.control unit transmits the 

2 0 required LIN settings via the packet network to the 

corresponding LIN. In response to the receipt of the LIN 
settings, the LIN performs a packet interception and 
duplicates those packets which are to be intercepted based 
on their header information. Then, the intercepted packets 
25 are encrypted and fake packets are generated and added to 
the intercepted packets. These encrypted and blurred data 
packets are transmitted via corresponding interworking 
units (IWU) through the ATM WAN to the LIG. Due to the 
encryption processing, a secure tunnel is established, 

3 0 although the intercepted data packets are transmitted via a 

normal channel of the packet network. 

However, it is noted that any other kind of transmission 
and/or transmission channel can be iir^lemented for 
35 transmitting the intercepted data packets in the preferred 
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embodiment, as long as the required security can be 
established. 

At the lilG, the received data packets are collected and 
5 evaluated so as to generate the interception related 
information (IRI) and the content of the intercepted 
communication, which are finally treinsmitted via the X3 
interface to the LEA, 

10 In the following, the LIN and LIG is described in greater 
detail with reference to Fig. 4. It is noted that the 
interworking units IWU according to Fig, 2 are not shown in 
Fig. 4, 

15 According to Fig. 4, the LIN is arranged to perform the 
following functions, which may be established either as 
software elements or as discrete hardware elements. 

-The LIN comprises a switching means 14 for receiving and 

20 transmitting data packets from/to the network cuid for 
supplying them to a packet reading means 11 where the 
header of the extracted data packet is read and euialyzed as 
to whether the data packet should be intercepted or not. 
The intercepted data packet is supplied to an encryption 

25 means 12 arranged to encrypt the data packet to thereby 

implement a secure tunnel. Additionally, the encrypted data 
packets may be supplied to a means 13 for adding fake 
packets to thereby obscure the interception activity. The 
encrypted and fake data packets are supplied to the 

30 switching meains 14 in order to be transmitted via the ATM 
WAN to the LIG. The fake packets may be transmitted at 
random time or triggered by any passing packet. Moreover, 
the packet reading means 11 or the encryption means 12 
could be arranged so as to pad the intercepted packet to a 

35 maximiom length. 
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Furthermore, the control means 15 may perform a control so 
as to delay the intercepted data packets for a random 
period, to thereby render it difficult determining who is 
5 being intercepted. However, in this case, an additional 

information defining the actual interception moment or the 
delay should be added to the data packet transmitted to the 
LIG. 

10 Generally, a constsuit load of lawful interception packets 
should be provided irrespective of the true interception 
activity . Providing a constant interception load 
facilitates billing, obviates monitoring of interception 
traffic, and blurs the true interception activity. 

15 

Furthermore, the LXN coit^rises a control means 15 arremged 
to control the other means of the LIN on the basis of an 
interception control information regarding interception 
criteria and the secure tunnel, which has been received 
20 from the interception control unit provided in the LIG or a 
separate network element via the switching means 14. 

Additionally, a detecting mecuis (not shown) may be provided 
for detecting a breakage of a casing of the LIN. In this 

25 case, a signaling means (not shown) may also be provided 
for transmitting an alarm to the LIG cuid instructing the 
control means 15 so as to erase all interception 
information such as filter settings and the like from an 
LIN memory (not shown) . Moreover, the detecting means may 

30 be arranged to also detect other malfunctions of the LIN, 
such as a power failure or other failures, wherein the 
signaling means is arranged to issue a corresponding alarm 
to the LIG. 
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The LIG is arranged as a master of the LINs and provides a 
user interface 27 towards at least one LEA. The LIG can be 
a personal computer, minicomputer or mainfrcune. In 
particular, the LIG may be arranged to perform the 
5 following functions which may also be implemented as 
software or hardware elements- 

The interface 27 is arranged to provide the Xn interfaces 
to the at least one LEA, wherein an interface module may be 

10 provided for each LEA in case several LEAs are provided. 

Furthermore, a switching means 21 is provided for receiving 
intercepted data packets from the ATM WAN via the secure 
tunnel and for transmitting LIN settings and other control 
information via the switching means 14 to the control meeins 

15 15 of the LIN. 

Intercepted data packets and fake packets received via the 
secure txinnel are supplied from the switching means 21 to a 
decrypting mesms 22 which is arranged to remove the LIN 

20 encryption of the intercepted packets. Furthermore, an 

extracting means 23 may by provided for removing duplicates 
and possible fake packets or padding information. The 
intercepted data packets from which the LIN encryption and 
duplicates or fake packets have been removed are supplied 

2 5 to a time stamp generating means 24 where a time stamp is 

added to the intercepted data packets in order to provide a 
timing reference before storing the intercepted data 
packets in a memory 25 which constitutes a mass storage for 
intercepted information. 

30 

The time stamp should be added as soon as possible, or it 
may even have been added already at the corresponding LIN 
such that the time stamp generating means 24 can be 
dispensed with. Due to the time stamp, the intercepted 
35 information can be stored in the memory 25 before being 
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delivered to the LEA. Thereby, a real time processing is 
not recjuired. 

Furthermore, a control means 26 is provided in the LIG and 
5 arranged to control each element of the LIG. The control 
means 2 6 may comprise several control units for each LEA 
interface module of the interface 27. Moreover, the control 
means 26 may comprise the interception control unit for 
managing the LIN settings as a master function by 
10 transmitting a corresponding control information via a 

switching means 21 and 14 to the control mecuis 15 of the 
LIN. 

It is to be noted that the location of the LIN is not 
15 limited to an LAN segment, but the LIN may by implemented 
as a part of a GPRS element such as the GGSN or BG itself. 

In general, there are two ways to configure the LIN for the 
interception. One way is to deliver each intercept 

20 authorization to every LIN. This means that a complete 
target register defining target connections for 
interception is delivered to each LIN. If there are mcuiy 
target connections, the LIN has to check each data packet 
with respect to all target connections, which is a time 

25 consximing task* 

A more efficient way to configure the LIN is to store the 
whole target register only at the interception control unit 
which, as already mentioned, may be provided in the LIG or 
30 another network element. At each PDP context activation, 
the corresponding LIN transmits a copy of the activation 
request to the interception control unit which checks its 
target register as to whether a target connection is 
involved. If so, it configures the LIN for interception. 

35 
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At context deactivation or when the intercept request 
expires, a target is removed from an actual interception 
list provided in the LIN, 

Thus, the interception information controlling the LIN is 
part of the PDP (Packet Data Protocol) context held by the 
GPRS network elements and used to route the packets of a 
connection in a correct manner. The information on the 
target connections to be intercepted is stored in the PDP 
context information of the respective connections- The 
interception inf oannation stored in the PDP context is thus 
readily available each time a packet is being routed. 
Accordingly, the interception lists of the LINs can be kept 
very short, which leads to an increased processing speed of 
the LINs. However, since the contexts have a long lifetime, 
the interception control unit has to store a register of 
all active contexts, so that it cem check whether a target 
connection has any open session going on upon receipt of an 
intercept request from a LEA. If^so, the relevant LIN^ 
interception list is configured correspondingly. 

Moreover, the present invention is not limited to the 
described GPRS or UMTS network and can be used in various 
packet networks such as an IP network. Thus, the above 
description of the preferred embodiment and the 
accompanying drawings are only intended to illustrate the 
present invention. The preferred embodiment of the 
invention may vary within a scope of the attached claims . 

In summary, an interception method and system for 
performing a lawful interception in a packet network such 
as the GPRS or UMTS network is described. A first network 
element having an intercepting function for intercepting 
data packets is provided, said . interception function being 
controlled by an interception control means implemented in 
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a second network element^ wherein an intercepted data 
packet is transmitted from the first network element via 
the packet network to an interception gateway element 
providing an interface to a intercepting authority. The 
5 intercepted data packet is transmitted via a secure tunnel 
provided by an encryption processing: The interception 
control means and the interception gateway element may both 
be integrated in the second network element. The 
interception system has a clear advantage in scalability, 
10 no single point of failure, and an adaptation to different 
authority interfaces cem be in^lemented only in the 
interception gateway. The network elements can be similar 
to a high extent for all different authority requirements. 
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Claims 

5 1. An interception method for performing a lawful 

interception in a packet network, comprising the steps of: 

a) providing a first network element (IiXN) having an 
interception function for intercepting data packets; 

b) controlling said interception function by an 

10 interception control means (26) implemented in a second 
network element (X«XG) ; ajnd 

c) transmitting an intercepted data packet from said 
first network element (IjZN) via said packet network to an 
interception gateway element (XiXG) providing an interface 

15 to at least one intercepting authority (Z«&A.) • 

2 . A method according to claim 1 , wherein said 
interception gateway element (MG) is_ integrated in said 
second network element. 

20 

3. A method according to claim 1 or 2, wherein a header 
of a data packet is read by said network element (I«XN) and 
data packets to be intercepted are duplicated. 

25 4- A method according to any one of . the preceding claims, 
wherein said intercepted data packet is transmitted to said 
interception gateway element (IiIG) using a secure tunnel- 

5. A method according to claim 4, wherein said secure 
3 0 tunnel is implemented by an encryption processing- 

6- A method according to any one of the preceding claims, 
wherein said intercepted data packet is transmitted via 
interworking units (IWU) and encrypted between said 
35 interworking units, when said first network element (IjXN) 
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and said interception gateway element (Z«X6) are arranged in 
separate network segments . 

7, A method according to any one of the preceding claims, 
5 wherein said first network element is provided in each 

network segment of said packet network. 

8. A method according to any one of the preceding claims, 
wherein received intercepted data packets are collected in 

10 said interception gateway element (LZG) and supplied to an 
interface of said at least one intercepting authority 

S . A method according to claim 8, wherein said interface 
15 comprises a first interface for administrative tasks, a 
second interface for network signaling, emid a third 
interface for intercepted user data. 

10. A method according to^^ any one of the preceding claims , 
20 wherein said intercepting function coit^rises a packet 

sniffing a,nd filtering function. 

11. A method according to claim 10, wherein said 
intercepting function is implemented in the Gn interface. 

25 

12. A method according to any one of the preceding claims, 
wherein said interception function comprises reading data 
packets, analyzing the header of the data packets as to 
whether the data packet should be intercepted or not, and 

3 0 transmitting the data packet to said interception gateway 
element (ZjZG) , and a management function for interception 
and transmission criteria. 

13. A method according to any one of the preceding claims, 
3 5 wherein an alarm is transmitted, to said interception 
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gateway element (t*XG) and all interception information of a 
respective network element (IiXN) is deleted, when a 
breakage of a casing of the respective network element has 
been detected. 

5 

14. A method according to any one of the preceding claims; 
wherein fake packets are transmitted from said network 
element (IiXM) to said interception gateway element (I<XG) • 

10 15- A method according to claim 14, wherein said fake 
packets are transmitted at random or triggered at any 
passing packet, such that the total load of intercepted and 
fake packets transmitted to said interception gateway 
element (Z«I6) is constant. 

15 

16. A method according to any one of the preceding claims, 
wherein said intercepted data packet is padded to a maximum 
length. 

20 17. A method according to any one of the preceding claims, 
wherein a time information is added to said intercepted 
data packet. 

18. An interception system for performing a lawful 
25 interception in a packet network, comprising: 

a) a first network element (LIN) having an interception 

function for intercepting data packets and comprising a 

transmitting means (14) for transmitting an intercepted 

data packet to said packet network; 
30 b) an interception control means (26) implemented in a 

second network element (IjI6) and controlling the 

interception function; and 

c) an interception gateway element (I«XG) having a 
receiving means (21) for receiving said intercepted data 
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packet and an interface means (27) for providing an 
interface to at least one intercepting authority (IiEIX) - 

19. A system according to claim 18, wherein said second 
5 network element corresponds to said interception gateway 

element (I«XG) • 

20. A system according to claim 18 or 19, wherein said 
first network element (XiXN) further comprises an encrypting 

10 means (12) for encrypting said intercepted data packet. 

21- A system according to any one of claims 18 to 20, 
wherein said first network element (UN) further comprises 
a meeuis (13) for generating fake packets to be trcurismitted 
15 with said intercepted data packets. 

22. A system according to anyone of claims 18 to 21, 
wherein said first network element (X«IN) con^rises a 
reading mecuis (11) for reading a header of a received data 

20 packet and for duplicating a data packet to l3e intercepted. 

23. A system according to claim 22, wherein said reading 
means (11) is arrajnged to pad said copied data packet to a 
mcLximimi length. 

25 

24. A system according to anyone of claims 18 to 23, 
wherein said first network element (XilN) is a gateway 
element of said packet network. 

30 25. A system according to any one of claims 18 to 23, 

wherein said first network element (X*IN) is a BG, an SGSN 
or a GGSN. 

26. A system according to claim 24 or 25, wherein an 
35 interception information defining a data packet to be 
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intercepted is included in a context information supplied 
to said first network element (LIN) and used for routing 
data packets . 

5 27 , A system according to claim 26, wherein said 

interception control means <26) comprises a storing means 
for storing an interception list, and wherein said 
interception control means (26) is arranged to add said 
interception information to said context information 
10 supplied to said first network element. 

28. A system according to any one of claims 18 to 27, 
wherein said first network element (IiIN) is arranged in 
each segment of said packet network. 

15 

29. A system according to anyone of claims 18 to 28, 
wherein said first network element (I«IN) comprises a 
control means (15) for con tro llin g interception and 
encryption processing in accordance with an interception 

20 setting instruction received from said interception control 
means (26V • 

30. A system according to cunyone of claims 18 to 29, 
wherein said interception gateway element (X«I6) comprises a 

25 memory means (25) for storing received intercepted data 

packets before supplying them to said interface meajis (27). 

31. A system according to claim 30, wherein said 
interception gateway element (IiXG) comprises a decryption 

30 meeuas (22) for removing an encryption of the received 
intercepted data packets, an extraction means (23) for 
extracting intercepted data packets from fake data packets, 
and a means (24) for adding a time information to said 
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received intercepted data packets before storing them in 
said memory means (25) . 

32. A system according to any one of claims 18 to 31, 
5 wherein said first network element (IiXN) comprises a 

detecting means for detecting a malfunction ahd/or breakage 
thereof, and signaling means for signaling an alctrm to said, 
interception gateway element (I<ZG) in response to an output 
of said detecting mesuis . 

10 

33. A network element for a packet network, comprising: 

a) an interception means (11, 15) for intercepting a data 
packet received from said packet network, and 

b) a transmitting means (14) for transmitting said 
15 intercepted data packet via said packet network to an 

interception gateway element, 

c) wherein said interception means is controlled by an 
interception control means (26) arranged in another network 
element (IiZG) . - - - 

20 

34. An interception gateway element for aji interception 
system of a packet network, comprising: 

a) a receiving means (21) for receiving an intercepted 
data packet via said packet network from a network element 

25 (ZiIN) having an interception function; and 

b) an interface means (27) for providing an interface to 
an intercepting authority (IiElA) - 

35. An interception gateway element according to claim 34, 
30 further comprising an interception control means (26) for 

controlling said interception function of said network 
element (Z<IN) « 
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